How to force changed permissions on moved files

We would like to allow users to move files from one folder to another (within the same directory), and have the file pick up the permissions from the destination folder instead of retaining permissions from the original folder.  How do we set up the folder properties to have this happen?
Links_TechnologyAsked:

mark1208Commented:
This is definitely doable and a common file share scenario. Fear not!  :)

Assuming two folders within the same parent directory (e.g. Shared\Folder X and Shared\Folder Y), it sounds from your question like you need files moved from the source folder (Folder X) to inherit the permissions from the destination (Folder Y)?

If that's the case, here's what you're looking for ...

============
     Answer:
============
1. Disable inheritance if the permissions of Folder Y need to differ from its parent folder (Shared, in this case).
a. Right-click Folder Y and click Properties
b. Click the Security tab
c. Click the Advanced button (bottom-right corner)
d. On the Permissions tab, deselect/uncheck "Allow inheritable permissions from the parent to propagate to this object . . ."
e. Click Apply
f. Select Copy or Remove, depending on your preference. If you want to start from a blank slate, select Remove. If you want to retain the permissions from the parent folder as a starting point, select Copy.
2. Add/Remove permission entries to suit your needs, ensuring that an appropriate scope (Apply To/Apply onto:) value is selected for each. The default value ("This folder, subfolders and files") is appropriate in most cases.
Example: Adding "CONTOSO\Domain Users" with "Read Permissions" and Apply onto: "This folder, subfolders and files" gives all users within the CONTOSO domain Read permissions over Folder Y, its contents, and the contents of its subfolders.
3. If Folder Y already contains files and subfolders, and you also want their permissions to match, be sure to check/select the "Replace permission entries . . ." option.

4. Click OK to save your changes. Move a file or folder from Folder X to Folder Y and ensure that its permissions are modified accordingly once moved. (The file or folder's ACL should match that of Folder Y.)

For more information, take a look at:
http://www.windowsecurity.com/articles/Understanding-Windows-NTFS-Permissions.html
http://technet.microsoft.com/en-us/library/cc738585%28WS.10%29.aspx


Hope this helps!
-Mark

0
Links_TechnologyAuthor Commented:
Here's a better description of what is going on:

Shared Folder
  -> Subfolder of user A
  -> Subfolder of user B
  -> Subfolder of boss

Users A & B each have full access to their own folders, and write access to the boss' subfolder (but no read, execute, etc).

The users create invoices that need to be approved by the boss, who then sends them on up the chain for processing.  User A has a PDF in his folder.  He does a right-click drag to the boss' folder and COPIES it there, and the newly created copy has the exact rights we need, the boss has full access to the file.  User B has a PDF in his folder and drags it over to the boss' folder, moving the file instead of copying.  The rights on that file stay the same, the boss has no access to it.  This is the part that we are looking to correct; on a move the permissions are not changing.

Hopefully this makes more sense now.

Thanks!



0
brwwigginsIT ManagerCommented:
By default, when you move a file within the same NTFS volume it just updates the reference pointers and retains the permissions. Read the second section of this document:

http://support.microsoft.com/kb/310316

Basically, you can make a registry change to affect this behavior; however, the user requires change permissions.
0


mark1208Commented:
Agree with brwwiggins here, though you have a full range of options/workarounds:

1) Go the registry route, per KB310316 (and brwwiggins' suggestion):
  • Set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MoveSecurityAttributes(DWORD)=0 on the client workstations for Users A, B, etc. (or push these changes via Group Policy if you want to easily target a particular department/workgroup).
2) Move the "Boss" subfolder to a different NTFS volume than User A or User B. (That way file moves pick up inheritance from the "Boss" parent folder, per NTFS rules, instead of retaining their original permissions.)

3) Upgrade the client machines for User A, User B, etc. to Vista or Windows 7 (these OSes now force inheritance on a Move action within Explorer). Reference http://social.technet.microsoft.com/Forums/en-US/itprovistasecurity/thread/99347e70-9eb2-44dd-8c57-c1ff6fd51e93 or http://www.windowsitpro.com/article/permissions/ntfs-inheritance-rule-change.aspx. I am also able to duplicate this scenario favorably using Win7.

4) Create a Scheduled Task to reapply inheritance against the Boss folder. Could be as easy as icacls volume:\Boss /reset /t from the CLI, or as fancy as WMI, PowerShell, VBscript.

Personally, I think #2 requires the least amount of administrative effort (assuming you have a second volume or file server capable of hosting the Boss folder). Good luck!  :)
0
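Option 4 above, as an added example that is not part of the original post: a PowerShell script that finds files in the destination folder whose DACL differs from what the folder propagates to a newly created file, and resets only those with icacls. The path `D:\Shared\Boss` and the function names are hypothetical; it assumes the folder has no CREATOR OWNER entries (those make every creator's ACL differ), checks top-level files only, and must run as an account that can read ACLs and create a file in the folder.

```powershell
# Added example (not from the thread). $BossFolder is a hypothetical path.
param(
    [string]$BossFolder = 'D:\Shared\Boss',
    [switch]$Fix   # without -Fix the script only reports
)

function Get-DaclSddl {
    param([Parameter(Mandatory)][string]$Path)
    # Access section only: owner and audit entries are ignored on purpose
    (Get-Acl -LiteralPath $Path).GetSecurityDescriptorSddlForm('Access')
}

function Get-ReferenceDacl {
    param([Parameter(Mandatory)][string]$Folder)
    # A file created in place inherits exactly what the folder propagates
    $probe = Join-Path $Folder ("acl-probe-{0}.tmp" -f [guid]::NewGuid())
    New-Item -ItemType File -Path $probe | Out-Null
    try { Get-DaclSddl -Path $probe }
    finally { Remove-Item -LiteralPath $probe -Force }
}

function Get-StaleAclFile {
    param([Parameter(Mandatory)][string]$Folder)
    $expected = Get-ReferenceDacl -Folder $Folder
    # Files moved within the volume keep their old DACL, so they differ
    Get-ChildItem -LiteralPath $Folder -File -Force | Where-Object {
        (Get-DaclSddl -Path $_.FullName) -ne $expected
    }
}

foreach ($file in Get-StaleAclFile -Folder $BossFolder) {
    if ($Fix) {
        # icacls /reset replaces the ACL with the default inherited one
        & icacls.exe $file.FullName /reset | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "reset failed: $($file.FullName)" }
        else { Write-Output "reset: $($file.FullName)" }
    } else {
        Write-Output "stale ACL: $($file.FullName)"
    }
}
```

Run it without `-Fix` first to review the list, then schedule it with `-Fix` once the reported files are the ones expected.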
Links_TechnologyAuthor Commented:
brwwiggins,

We tried the registry change that was shown in the second half of that Microsoft article, but documents that are moved are still retaining the original folder's permissions.  That wouldn't require a reboot, would it?


Thanks
0
mark1208Commented:
Hi Links,

I just tested this on an XP SP3 client, and the registry setting took effect immediately without reboot. Maybe take a second look and make sure that the MoveSecurityAttributes key was added as a DWORD value to the correct location (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer)? Screenshot attached.

Also, make sure that the registry change is being done at the client-level and not on the server. You might also test with a local set of folders, just to make sure that everything is working as advertised. Again, the change was instantaneous for me both locally as well as when moving files remotely via UNC or mapped network drive.

Hang in there!
-Mark

regedit.jpg
0
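The check described in the post above (right location, DWORD type, set on the clients rather than the server), as an added example that is not part of the original post: a PowerShell audit that reads the value on each client and reports what is wrong. The computer names and the function name are hypothetical, and it assumes the Remote Registry service is reachable on each client and that the caller has admin rights there.

```powershell
# Added example (not from the thread). Client names are hypothetical.
param([string[]]$ComputerName = @('CLIENT-A', 'CLIENT-B'))

$SubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$Name   = 'MoveSecurityAttributes'

function Get-MoveSecurityAttributesState {
    param([Parameter(Mandatory)][string]$Computer)
    $state = 'ok'
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $hklm.OpenSubKey($SubKey)   # read-only handle
        if ($null -eq $key) {
            $state = 'key not found'
        } elseif ($key.GetValueNames() -notcontains $Name) {
            $state = 'value missing'
        } elseif ($key.GetValueKind($Name) -ne 'DWord') {
            # e.g. created as a string value, or as a subkey by mistake
            $state = "wrong type: $($key.GetValueKind($Name))"
        } elseif ([int]$key.GetValue($Name) -ne 0) {
            $state = "data is $($key.GetValue($Name)), expected 0"
        }
    } catch {
        $state = "unreachable: $($_.Exception.Message)"
    } finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
    [pscustomobject]@{ Computer = $Computer; State = $state }
}

$ComputerName | ForEach-Object { Get-MoveSecurityAttributesState -Computer $_ }
```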
Links_TechnologyAuthor Commented:
Ah, that's what I missed; I did it on the server, not the clients.  I will try again from the client side and see how it goes.  Thanks!
0
mark1208Commented:
Hi Links, just following up on this issue. Did applying the registry change at the client level produce the intended results? Did any of the other proposed workarounds resolve your problem?

Thanks,
Mark
0
Links_TechnologyAuthor Commented:
Hey guys, sorry to be so late responding, but yes, this did work for us.  Once we got that entered on all the client machines everything worked perfectly.  Thank you both for the help!
0